The New York State Department of Financial Services announced a $5 million penalty against Carnival Corp. for “significant” cybersecurity failures, including not implementing basic protocols to prevent four separate data breaches from 2019-21.
Carnival Cruise Line reached a $1.25 million settlement with 46 attorneys general stemming from its 2019 data breach that involved the personal information of 180,000 Carnival employees and customers nationwide.
Editor In Chief Kyle Brasseur recaps popular points of discussion across Compliance Week’s two-day Third-Party Risk Management Summit held in Chicago.
More and more commercial organizations are voluntarily adopting cybersecurity risk management frameworks like NIST CSF, COBIT, ISO, and others in light of recent legislation, executive orders, and reporting requirements.
Compliance programs globally expect to shoulder more responsibilities in 2022, according to Kroll’s latest Anti-Bribery and Corruption Benchmarking Report.
Two SEC commissioners from opposite sides of the political aisle took slightly different positions on how to assess the liability of poorly performing chief compliance officers as part of the Day 2 opening keynote at Compliance Week’s National Conference.
The Securities and Exchange Commission announced plans to nearly double the number of employees assigned to its Cyber Unit, which has had its name changed to emphasize the agency’s pursuit of crypto asset-related investigations.
Learn how to build a third-party risk management program with cybersecurity risk at the forefront.
Where is your unstructured data lurking? With a record number of cyberattacks and the introduction of robust privacy laws like the GDPR and CPRA, it’s time to discover your data.
Compliance departments must be up to speed with emerging cybersecurity threats. This includes understanding the new technologies, processes, and procedures their organization will need to employ to ensure they don’t run afoul of the modern data privacy environment.
The number of cybersecurity breaches disclosed by public companies in 2021 increased 44 percent while reports of ransomware attacks also surged, according to the latest Audit Analytics study.
Approximately 8.2 million U.S. customers of Cash App Investing have been notified of a data breach carried out by a former employee of the mobile payment service provider.
Regulation and guidance from U.S. agencies and the White House, plus compliance challenges stemming from a two-year global pandemic and Russia’s ongoing invasion of Ukraine, made the first quarter of 2022 a novel risk environment for regulated businesses.
Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022. Further survey results reveal roadblocks to organizations’ proactive compliance.
Ukrainian telecommunications company Ukrtelecom is in the process of restoring its services after a “powerful” cyberattack wreaked havoc on its operations.
The Public Company Accounting Oversight Board published its annual report highlighting feedback received from its discussions with audit committee chairs at U.S. public companies during the previous year.
Regulators in Norway, Germany, Lithuania, Estonia, Denmark, and Sweden address how companies can prepare for increased data protection and cybersecurity risks in the wake of Russia’s invasion of Ukraine.
Residual Pumpkin Entity, the former owner of CafePress, must pay $500,000 in redress under a proposed settlement with the Federal Trade Commission addressing allegations CafePress failed to secure personal data and covered up a data breach.
The Irish Data Protection Commission fined Meta’s Irish subsidiary 17 million euros (U.S. $18.6 million) for a series of personal data breaches that took place nearly four years ago.
Public companies would have to report material cybersecurity incidents no later than four business days after they occur if a rule proposed by the Securities and Exchange Commission takes effect.
A keynote with two SEC commissioners; interactive sessions on global sanctions, ESG, and ethical leadership; and a new conference location and format highlight Dave Lefort’s list of reasons to be excited for CW’s first in-person event in nearly three years.
As the West seeks to isolate Russia, the country might retaliate with state-sponsored cyberattacks. Although Russia is suspected to have launched such attacks before, the scale and scope could be much bigger this time, experts warn.
More than nine months after being targeted by a ransomware attack, Colonial Pipeline has named Adam Tice as its first chief information security officer.
Two prominent audit committee chairs speak to the results of a Deloitte Center for Board Effectiveness and Center for Audit Quality report on audit committee practices and the major issues audit committees face today.
The Department of Justice named veteran prosecutor Eun Young Choi to serve as the first director of its newly created National Cryptocurrency Enforcement Team.
A continuous monitoring cybersecurity strategy for third-party risks goes a long way toward proactively identifying external vulnerabilities. At CW’s virtual Cyber Risk & Data Privacy Summit, a panel of experts shared leading practices.
A group of experts at CW’s virtual Cyber Risk & Data Privacy Summit explained how complying with data privacy regulations from Day 1 can provide high-growth companies with certain competitive advantages.
A panel of cybersecurity experts shared tips for achieving continuous assurance and getting necessary buy-in at CW’s virtual Cyber Risk & Data Privacy Summit.
Rachael Pashkevich Koontz, senior corporate counsel of cybersecurity compliance at T-Mobile, shared her opinions on cybersecurity certifications and determining the right fit for certain organizations at CW’s virtual Cyber Risk & Data Privacy Summit.
The Department of Justice arrested two individuals over an alleged conspiracy to launder approximately $4.5 billion worth of cryptocurrency stolen in the 2016 hack of digital asset trading platform Bitfinex.
Marie-Christine Vittet, vice president of compliance at hospitality chain Accor, shares with Compliance Week the company’s journey toward a global data privacy compliance program.
The Hellenic Data Protection Authority fined mobile phone operator Cosmote and its parent company OTE a total of €9.25 million (U.S. $10.6 million) for a data breach caused by a September 2020 cyberattack and for illegally processing customer data.
The “patient zero” of fictional private utility company Vulnerable Electric’s ransomware crisis learns her fate.
Whether fictional private utility company Vulnerable Electric pays the ransom or not in the aftermath of its cyber incident, the two pathways quickly splinter off in different directions with varied endings, each with important lessons to be learned.
The field of cybersecurity features a growing list of terminology to describe the many forms, channels, and motivations behind cyberattacks and hacking culture. Learn further definitions for some key terms featured throughout the ransomware case study.
No matter what, the deck is stacked against fictional private utility company Vulnerable Electric as it weighs whether to pay the $5 million ransom demanded by a cybercriminal who breached its systems. Which path do you take?
Systems at fictional private utility company Vulnerable Electric remain impacted in the aftermath of a ransomware attack, but the chief executive decides it’s time to be forthright with employees and customers.
With Day 2 of fictional private utility company Vulnerable Electric’s ransomware crisis comes the need to grasp the extent of its situation. The cyber incident response team’s synchronized efforts are pivotal as time is of the essence.
Following the events that triggered a double extortion ransomware attack, the CEO of fictional private utility company Vulnerable Electric mobilizes her cyber incident response team to begin assessing the path forward in dealing with the cybercriminal(s).
When one of fictional private utility company Vulnerable Electric’s most dedicated employees falls victim to a social engineering hack, her actions in the immediate aftermath are crucial to what will soon become a crisis for the C-suite.
Learn through the eyes of the C-suite at Vulnerable Electric, a fictional private utility company impacted by a significant ransomware attack, as part of Compliance Week’s third case study.
The Biden administration announced an action plan to collaborate with owners and operators in the water sector to deploy technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.
The Securities and Exchange Commission is kicking the tires on new cybersecurity and data privacy disclosure requirements for investment companies, investment advisers, broker-dealers, and public companies, according to agency Chair Gary Gensler.
Diversity, equity, and inclusion; prioritizing ESG; business continuity; and more highlight the latest edition of NAVEX’s annual list of risk and compliance trends worth monitoring.
Nearly €1.1 billion (U.S. $1.2 billion) worth of fines have been issued against organizations in the past year for violations of the General Data Protection Regulation, according to the latest annual report by law firm DLA Piper.
The Accellion data breach that last year affected a variety of private- and public-sector organizations and compromised the personal data of millions of individuals could be resolved in an $8.1 million class-action settlement.
Morgan Stanley has agreed to establish a $60 million fund to settle a class-action lawsuit filed by nearly a dozen customers regarding personal data that was compromised when the bank decommissioned two wealth management centers.
If 2021 was about transition under the Biden administration, 2022 is looking as if it will be a year of action. CW Director of Compliance Programs & Training Julie DiMauro shares her list of key areas she expects to receive enhanced scrutiny in the year ahead.
Desjardins Group has reached a proposed C$201 million (U.S. $155 million) settlement agreement in a class-action lawsuit following a long-running data breach that ultimately compromised the personal information of nearly 10 million individuals in Canada and abroad.
The most dramatic increase in audit committee disclosures in proxy statements for the second consecutive year was in responsibility for cybersecurity risk oversight, according to the latest report from the Center for Audit Quality and Audit Analytics.